Authorization

From MgmtWiki
Revision as of 11:43, 30 December 2018 by Tom (talk | contribs) (Solutions)

Full Title or Meme

The action that grants a user an Authorization Code or an Access Token for a protected resource.

Context

  • Previously Authorization was considered to be the second step, taken only after the Subject had been successfully Authenticated.
  • The challenge of Authorization can be modeled with decision theory: access is granted after the Authorization service has evaluated the Claims presented and made a single decision, on the assumption that the Identity of the Subject has already been appropriately Authenticated. When Authorization failed, the Subject was typically given instructions on the appropriate manual procedure to follow to gain access to the resource. This method worked well within the confines of an Enterprise or Federation that had established an appropriate method of Authentication.
  • In the long term, game theory would be a better model: the attacker and the Authorization process are engaged in a duel, the attacker seeking illicit access to the resource and the Authorization process seeking to deny it.

Problems

The more challenging problem is Authorizing access to a Subject arriving over the public internet, where the level of Authentication that has been applied to the Subject may be adequate for initial access but insufficient for full access to all resources. It is that use case which is considered here.

Solutions

  • Bayesian Identity Proofing provides the means for a collection of authentication and verification steps to be validated as an iterative process that continues until the Authorization to access the resource can be granted.
  • Where access needs to be granted over a long period, with the capability to withdraw that access before the Authorization grant expires, additional procedural steps must be implemented. One common method is to issue a refresh token that can be exchanged for an access token at the Authorization Service; because every exchange passes through the Authorization Service, access can be revoked there. Access tokens already issued remain valid until they expire, so they should be short-lived for the revocation to take effect promptly.
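The two solutions above, as an added illustration that is not MgmtWiki's code or any particular product's implementation: a toy Authorization Service that accumulates the outcome of each authentication step as Bayesian odds until the posterior probability reaches the assurance a resource requires (otherwise it asks the Subject to step up), and that issues a short-lived access token together with a refresh token which can be exchanged for new access tokens until the grant is revoked at the service. The likelihood ratios, prior, thresholds, token lifetimes and the `AuthorizationService` API are all constructed assumptions for the example.

```python
"""Added illustration (not MgmtWiki's code): a toy Authorization Service that
(1) accumulates authentication evidence as Bayesian odds until a resource's
required assurance is met, and (2) issues short-lived access tokens with a
revocable refresh token.  All likelihood ratios, thresholds and lifetimes are
constructed for the example."""
import secrets
import time

# Constructed likelihood ratios: how much more likely a successful step is when
# the claimed Subject is genuine than when an attacker presents the Claims.
LIKELIHOOD_RATIO = {"password": 50.0, "otp": 200.0, "registered_device": 20.0}
PRIOR_ODDS = 1.0 / 1000          # constructed prior for an anonymous internet arrival
REQUIRED_ASSURANCE = {           # resource -> minimum posterior probability (constructed)
    "public_profile": 0.90,
    "account_settings": 0.99,
}
ACCESS_TOKEN_LIFETIME = 300      # seconds: short, so a revocation takes effect quickly
REFRESH_TOKEN_LIFETIME = 30 * 24 * 3600


def posterior_probability(steps_completed):
    """Bayes in odds form: posterior odds = prior odds * product of likelihood ratios."""
    odds = PRIOR_ODDS
    for step in steps_completed:
        odds *= LIKELIHOOD_RATIO[step]
    return odds / (1.0 + odds)


class AuthorizationService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._refresh = {}  # refresh token -> grant record

    def grant(self, subject, resource, steps_completed):
        """Iterative proofing: either grant, or tell the client which assurance is still needed."""
        achieved = posterior_probability(steps_completed)
        required = REQUIRED_ASSURANCE[resource]
        if achieved < required:
            return {"decision": "step_up", "achieved": achieved, "required": required}
        now = self.clock()
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = {
            "sub": subject, "resource": resource,
            "exp": now + REFRESH_TOKEN_LIFETIME, "revoked": False,
        }
        return {"decision": "granted",
                "access_token": self._mint_access(subject, resource, now),
                "refresh_token": refresh_token}

    def _mint_access(self, subject, resource, now):
        # An opaque token plus the claims the resource server needs; a real
        # service would sign these or keep them in an introspection store.
        return {"token": secrets.token_urlsafe(16), "sub": subject,
                "resource": resource, "exp": now + ACCESS_TOKEN_LIFETIME}

    def refresh(self, refresh_token):
        """Exchange a refresh token for a new access token; None if the grant is gone."""
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["revoked"] or self.clock() >= rec["exp"]:
            return None
        return self._mint_access(rec["sub"], rec["resource"], self.clock())

    def revoke(self, refresh_token):
        """Withdraw the grant before it expires.  Access tokens already issued
        stay valid until their own exp, which is why that lifetime is short."""
        rec = self._refresh.get(refresh_token)
        if rec is None:
            return False
        rec["revoked"] = True
        return True


def demo():
    """Walk a Subject through step-up, grant, refresh and revocation with a fixed clock."""
    now = [1_700_000_000.0]
    svc = AuthorizationService(clock=lambda: now[0])
    first = svc.grant("alice", "account_settings", ["password", "otp"])       # not enough
    second = svc.grant("alice", "account_settings",
                       ["password", "otp", "registered_device"])              # enough
    now[0] += ACCESS_TOKEN_LIFETIME + 1             # the access token has expired ...
    renewed = svc.refresh(second["refresh_token"])  # ... so exchange the refresh token
    svc.revoke(second["refresh_token"])             # withdraw the grant early
    after_revoke = svc.refresh(second["refresh_token"])
    return {"first": first, "second": second, "renewed": renewed, "after_revoke": after_revoke}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the constructed numbers, password plus OTP reaches a posterior of about 0.91, enough for `public_profile` but not for `account_settings`, so the service answers `step_up`; adding a registered device lifts it to about 0.995 and the grant is issued. The refresh exchange succeeds while the grant stands and returns `None` once it has been revoked, which is the point of routing renewals through the Authorization Service.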

References